{ "Event": { "analysis": "1", "date": "2026-02-20", "extends_uuid": "", "info": "[Threat Intel] AI-augmented threat actor accesses FortiGate devices at scale", "protected": false, "publish_timestamp": "1779544286", "published": true, "threat_level_id": "3", "timestamp": "1777217043", "uuid": "38399012-693d-4eae-b0e6-44518a97250b", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#fb3bcd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "relationship_type": "" }, { "colour": "#7773ac", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#aff0ae", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#041edc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"", "relationship_type": "" }, { "colour": "#55e7ce", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001\"", "relationship_type": "" }, { "colour": "#07ff3c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#17f935", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Pass the Ticket - T1550.003\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#2da3e8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"", "relationship_type": "" }, { "colour": "#70b0b5", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#a05856", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"", "relationship_type": "" }, { "colour": "#3970d7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"", "relationship_type": "" }, { "colour": "#50bd28", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"", "relationship_type": "" }, { "colour": "#1ef2bb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Pass the Hash - T1550.002\"", "relationship_type": "" }, { "colour": "#a64427", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DCSync - T1003.006\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#18005c", "local": false, "name": "rectifyq:topic=\"ai\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "link", "uuid": "2826fadd-ea36-44e2-933f-1aa4c0c5ef25", "value": "https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "text", "uuid": "faf85e98-725c-433c-b66f-746e1b4700ed", "value": "A Russian-speaking financially motivated threat actor leveraged multiple commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries between January and February 2026. The campaign exploited exposed management ports and weak credentials with single-factor authentication rather than software vulnerabilities. The actor used AI throughout all operational phases including tool development, attack planning, and reconnaissance automation, achieving scale previously requiring larger skilled teams. Post-exploitation activities included Active Directory compromise, credential harvesting, and targeting backup infrastructure consistent with pre-ransomware operations. Despite limited technical capabilities, the actor successfully extracted complete credential databases from multiple organizations, though they failed against hardened environments and moved to softer targets." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "text", "uuid": "1b7d4424-c506-4905-8782-a31221d5cac5", "value": "Name: AI-augmented threat actor accesses FortiGate devices at scale\nAuthor: AlienVault\nAdversary: \nTags: [\"russian-speaking actor\", \"ai-augmented attacks\", \"mimikatz\", \"cve-2023-27532\", \"backup infrastructure targeting\", \"vpn exploitation\", \"active directory compromise\", \"cve-2024-40711\", \"meterpreter\", \"fortigate\", \"dcsync\", \"credential abuse\", \"cve-2019-7192\"]\nTgtd countries: []\nMlwr families: [\"Meterpreter\", \"mimikatz\"]\nAttack_ids: [\"T1592\", \"T1133\", \"T1069\", \"T1135\", \"T1190\", \"T1021.002\", \"T1557.001\", \"T1003.001\", \"T1087\", \"T1550.003\", \"T1552.001\", \"T1590\", \"T1110\", \"T1078\", \"T1485\", \"T1018\", \"T1046\", \"T1550.002\", \"T1003.006\", \"T1490\"]\nIndustries: []" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "vulnerability", "uuid": "910be1d1-da64-4998-8a9f-5ce8030b72d2", "value": "CVE-2019-7192" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "vulnerability", "uuid": "a991db8f-866f-4ba0-b9d9-f3c1d036e632", "value": "CVE-2023-27532" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777214698", "to_ids": true, "type": "ip-dst", "uuid": "92665f16-4d6a-4ada-8ee6-31465db0efea", "value": "185.196.11.225", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776855613", "to_ids": false, "type": "vulnerability", "uuid": "a95528a8-3dc9-47de-a2e2-471cce09c0b9", "value": "CVE-2024-40711" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777214719", "to_ids": true, "type": "ip-dst", "uuid": "ba0acad1-0856-4a44-a0dc-fe48b476e38a", "value": "212.11.64.250", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }